ScreenShot
| Created | 2024.11.08 17:09 | Machine | s1_win7_x6403 |
| Filename | njrtdhadawt.exe | ||
| Type | PE32 executable (GUI) Intel 80386, for MS Windows | ||
| AI Score |
|
Behavior Score |
|
| ZERO API | file : clean | ||
| VT API (file) | 57 detected (AIDetectMalware, Vidar, Malicious, score, Trojanpws, Stealerc, GenericKD, Unsafe, confidence, 100%, Attribute, HighConfidence, Windows, Threat, MalwareX, Trojanx, TrojanPSW, ccmw, RwpfUun1AkD, ytrmh, Real Protect, high, Static AI, Malicious PE, Detected, HeurC, KVMH017, PasswordStealer, Malware@#1htwwghok0jyt, ABTrojan, FXUB, Artemis, BScope, CoreBot, GdSda, Gencirc, Steam, Cometer) | ||
| md5 | 96e4917ea5d59eca7dd21ad7e7a03d07 | ||
| sha256 | cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957 | ||
| ssdeep | 24576:ajfMVHefX7eO2FwYPMGNL/geFyNcTN+jv75TQn652VBuNyb2i:oEQreO8wRGJtF4ch+jvNm0Nyb2 | ||
| imphash | dae99f55715d10799c7a5f3e0cd9d13d | ||
| impfuzzy | 96:SqDwT3AfXboXMUt5a5YTWmVM+JtdBZMXm4Qp:BDwT3AToTtrMW4Qp | ||
Network IP location
Signature (21cnts)
| Level | Description |
|---|---|
| danger | File has been identified by 57 AntiVirus engines on VirusTotal as malicious |
| watch | Checks the CPU name from registry |
| watch | Collects information about installed applications |
| watch | Deletes executed files from disk |
| watch | Harvests credentials from local FTP client softwares |
| watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
| notice | A process created a hidden window |
| notice | Allocates read-write-execute memory (usually to unpack itself) |
| notice | Creates a suspicious process |
| notice | Creates executable files on the filesystem |
| notice | Drops an executable to the user AppData folder |
| notice | Executes one or more WMI queries |
| notice | Queries for potentially installed applications |
| notice | Searches running processes potentially to identify processes for sandbox evasion |
| notice | Uses Windows utilities for basic Windows functionality |
| notice | Yara rule detected in process memory |
| info | Checks amount of memory in system |
| info | Collects information to fingerprint the system (MachineGuid |
| info | Command line console output was observed |
| info | Queries for the computername |
| info | Tries to locate where the browsers are installed |
Rules (26cnts)
| Level | Name | Description | Collection |
|---|---|---|---|
| warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
| warning | Generic_Malware_Zero | Generic Malware | binaries (upload) |
| watch | Antivirus | Contains references to security software | binaries (download) |
| watch | Antivirus | Contains references to security software | binaries (upload) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
| watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (download) |
| watch | Malicious_Packer_Zero | Malicious Packer | binaries (upload) |
| watch | UPX_Zero | UPX packed file | binaries (download) |
| watch | UPX_Zero | UPX packed file | binaries (upload) |
| info | anti_dbg | Checks if being debugged | memory |
| info | DebuggerCheck__GlobalFlags | (no description) | memory |
| info | DebuggerCheck__QueryInfo | (no description) | memory |
| info | DebuggerException__SetConsoleCtrl | (no description) | memory |
| info | DebuggerHiding__Active | (no description) | memory |
| info | DebuggerHiding__Thread | (no description) | memory |
| info | disable_dep | Bypass DEP | memory |
| info | IsDLL | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (download) |
| info | IsPE32 | (no description) | binaries (upload) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
| info | OS_Processor_Check_Zero | OS Processor Check | binaries (upload) |
| info | PE_Header_Zero | PE File Signature | binaries (download) |
| info | PE_Header_Zero | PE File Signature | binaries (upload) |
| info | SEH__vectored | (no description) | memory |
| info | ThreadControl__Context | (no description) | memory |
PE API
IAT(Import Address Table) Library
msvcrt.dll
0x42f254 strncpy
0x42f258 malloc
0x42f25c _wtoi64
0x42f260 ??_V@YAXPAX@Z
0x42f264 atexit
0x42f268 strcpy_s
0x42f26c memchr
0x42f270 strchr
0x42f274 strtok_s
0x42f278 ??_U@YAPAXI@Z
0x42f27c _time64
0x42f280 srand
0x42f284 rand
0x42f288 memmove
0x42f28c __CxxFrameHandler3
KERNEL32.dll
0x42f020 GetEnvironmentStringsW
0x42f024 FreeEnvironmentStringsW
0x42f028 GetModuleFileNameA
0x42f02c HeapSize
0x42f030 WideCharToMultiByte
0x42f034 IsValidCodePage
0x42f038 GetOEMCP
0x42f03c ExitProcess
0x42f040 SetCriticalSectionSpinCount
0x42f044 FlsAlloc
0x42f048 HeapAlloc
0x42f04c GetCurrentProcess
0x42f050 HeapFree
0x42f054 VirtualFree
0x42f058 GetProcessHeap
0x42f05c WriteFile
0x42f060 VirtualAllocExNuma
0x42f064 Sleep
0x42f068 ReadFile
0x42f06c CreateFileW
0x42f070 lstrcatA
0x42f074 MultiByteToWideChar
0x42f078 GetTempPathW
0x42f07c GetLastError
0x42f080 lstrcmpiA
0x42f084 GetProcAddress
0x42f088 VirtualAlloc
0x42f08c GlobalMemoryStatusEx
0x42f090 ConvertDefaultLocale
0x42f094 lstrcmpiW
0x42f098 GetModuleHandleA
0x42f09c VirtualProtect
0x42f0a0 CloseHandle
0x42f0a4 lstrlenA
0x42f0a8 FreeLibrary
0x42f0ac GetThreadContext
0x42f0b0 SetThreadContext
0x42f0b4 ReadProcessMemory
0x42f0b8 VirtualAllocEx
0x42f0bc SetHandleCount
0x42f0c0 VirtualQueryEx
0x42f0c4 OpenProcess
0x42f0c8 GetComputerNameA
0x42f0cc FileTimeToSystemTime
0x42f0d0 WaitForSingleObject
0x42f0d4 GetDriveTypeA
0x42f0d8 CreateProcessA
0x42f0dc CreateDirectoryA
0x42f0e0 GetLogicalDriveStringsA
0x42f0e4 CreateThread
0x42f0e8 CreateFileA
0x42f0ec GetFileSize
0x42f0f0 SetFilePointer
0x42f0f4 MapViewOfFile
0x42f0f8 UnmapViewOfFile
0x42f0fc lstrcpynA
0x42f100 SystemTimeToFileTime
0x42f104 GetTickCount
0x42f108 GetLocalTime
0x42f10c CreateFileMappingA
0x42f110 GetFileInformationByHandle
0x42f114 lstrcpyA
0x42f118 HeapSetInformation
0x42f11c GetCommandLineA
0x42f120 HeapReAlloc
0x42f124 GetCPInfo
0x42f128 GetLocaleInfoW
0x42f12c LoadLibraryW
0x42f130 InterlockedExchange
0x42f134 SetConsoleCtrlHandler
0x42f138 IsProcessorFeaturePresent
0x42f13c GetCurrentThread
0x42f140 InterlockedDecrement
0x42f144 GetCurrentThreadId
0x42f148 SetLastError
0x42f14c InterlockedIncrement
0x42f150 GetACP
0x42f154 TlsFree
0x42f158 TlsSetValue
0x42f15c GetFileType
0x42f160 QueryPerformanceCounter
0x42f164 GetStartupInfoW
0x42f168 GetCurrentProcessId
0x42f16c GetSystemTimeAsFileTime
0x42f170 LCMapStringW
0x42f174 WriteProcessMemory
0x42f178 GetStringTypeW
0x42f17c TlsGetValue
0x42f180 TlsAlloc
0x42f184 RaiseException
0x42f188 IsValidLocale
0x42f18c EnumSystemLocalesA
0x42f190 GetLocaleInfoA
0x42f194 GetUserDefaultLCID
0x42f198 GetModuleFileNameW
0x42f19c GetStdHandle
0x42f1a0 GetModuleHandleW
0x42f1a4 HeapDestroy
0x42f1a8 HeapCreate
0x42f1ac RtlUnwind
0x42f1b0 EnterCriticalSection
0x42f1b4 FatalAppExitA
0x42f1b8 LeaveCriticalSection
0x42f1bc DeleteCriticalSection
0x42f1c0 TerminateProcess
0x42f1c4 UnhandledExceptionFilter
0x42f1c8 SetUnhandledExceptionFilter
0x42f1cc IsDebuggerPresent
0x42f1d0 EncodePointer
0x42f1d4 DecodePointer
0x42f1d8 InitializeCriticalSectionAndSpinCount
USER32.dll
0x42f210 GetDesktopWindow
0x42f214 OpenDesktopA
0x42f218 CreateDesktopA
0x42f21c CloseDesktop
0x42f220 OpenInputDesktop
0x42f224 wsprintfW
0x42f228 IsDialogMessageW
0x42f22c MessageBoxA
0x42f230 GetWindowLongW
0x42f234 ReleaseDC
0x42f238 GetWindowContextHelpId
0x42f23c SetThreadDesktop
0x42f240 RegisterClassW
0x42f244 IsWindowVisible
0x42f248 GetCursorPos
0x42f24c CharToOemA
GDI32.dll
0x42f014 CreateDCA
0x42f018 GetDeviceCaps
ADVAPI32.dll
0x42f000 RegGetValueA
0x42f004 RegOpenKeyExA
0x42f008 GetUserNameA
0x42f00c GetCurrentHwProfileA
SHELL32.dll
0x42f200 SHFileOperationA
ole32.dll
0x42f294 CoInitializeSecurity
0x42f298 CoSetProxyBlanket
0x42f29c CoCreateInstance
0x42f2a0 CoInitializeEx
OLEAUT32.dll
0x42f1e0 SysFreeString
0x42f1e4 VariantClear
0x42f1e8 VariantInit
0x42f1ec SysAllocString
PSAPI.DLL
0x42f1f4 EnumProcessModules
0x42f1f8 GetModuleBaseNameA
SHLWAPI.dll
0x42f208 None
EAT(Export Address Table) is none
msvcrt.dll
0x42f254 strncpy
0x42f258 malloc
0x42f25c _wtoi64
0x42f260 ??_V@YAXPAX@Z
0x42f264 atexit
0x42f268 strcpy_s
0x42f26c memchr
0x42f270 strchr
0x42f274 strtok_s
0x42f278 ??_U@YAPAXI@Z
0x42f27c _time64
0x42f280 srand
0x42f284 rand
0x42f288 memmove
0x42f28c __CxxFrameHandler3
KERNEL32.dll
0x42f020 GetEnvironmentStringsW
0x42f024 FreeEnvironmentStringsW
0x42f028 GetModuleFileNameA
0x42f02c HeapSize
0x42f030 WideCharToMultiByte
0x42f034 IsValidCodePage
0x42f038 GetOEMCP
0x42f03c ExitProcess
0x42f040 SetCriticalSectionSpinCount
0x42f044 FlsAlloc
0x42f048 HeapAlloc
0x42f04c GetCurrentProcess
0x42f050 HeapFree
0x42f054 VirtualFree
0x42f058 GetProcessHeap
0x42f05c WriteFile
0x42f060 VirtualAllocExNuma
0x42f064 Sleep
0x42f068 ReadFile
0x42f06c CreateFileW
0x42f070 lstrcatA
0x42f074 MultiByteToWideChar
0x42f078 GetTempPathW
0x42f07c GetLastError
0x42f080 lstrcmpiA
0x42f084 GetProcAddress
0x42f088 VirtualAlloc
0x42f08c GlobalMemoryStatusEx
0x42f090 ConvertDefaultLocale
0x42f094 lstrcmpiW
0x42f098 GetModuleHandleA
0x42f09c VirtualProtect
0x42f0a0 CloseHandle
0x42f0a4 lstrlenA
0x42f0a8 FreeLibrary
0x42f0ac GetThreadContext
0x42f0b0 SetThreadContext
0x42f0b4 ReadProcessMemory
0x42f0b8 VirtualAllocEx
0x42f0bc SetHandleCount
0x42f0c0 VirtualQueryEx
0x42f0c4 OpenProcess
0x42f0c8 GetComputerNameA
0x42f0cc FileTimeToSystemTime
0x42f0d0 WaitForSingleObject
0x42f0d4 GetDriveTypeA
0x42f0d8 CreateProcessA
0x42f0dc CreateDirectoryA
0x42f0e0 GetLogicalDriveStringsA
0x42f0e4 CreateThread
0x42f0e8 CreateFileA
0x42f0ec GetFileSize
0x42f0f0 SetFilePointer
0x42f0f4 MapViewOfFile
0x42f0f8 UnmapViewOfFile
0x42f0fc lstrcpynA
0x42f100 SystemTimeToFileTime
0x42f104 GetTickCount
0x42f108 GetLocalTime
0x42f10c CreateFileMappingA
0x42f110 GetFileInformationByHandle
0x42f114 lstrcpyA
0x42f118 HeapSetInformation
0x42f11c GetCommandLineA
0x42f120 HeapReAlloc
0x42f124 GetCPInfo
0x42f128 GetLocaleInfoW
0x42f12c LoadLibraryW
0x42f130 InterlockedExchange
0x42f134 SetConsoleCtrlHandler
0x42f138 IsProcessorFeaturePresent
0x42f13c GetCurrentThread
0x42f140 InterlockedDecrement
0x42f144 GetCurrentThreadId
0x42f148 SetLastError
0x42f14c InterlockedIncrement
0x42f150 GetACP
0x42f154 TlsFree
0x42f158 TlsSetValue
0x42f15c GetFileType
0x42f160 QueryPerformanceCounter
0x42f164 GetStartupInfoW
0x42f168 GetCurrentProcessId
0x42f16c GetSystemTimeAsFileTime
0x42f170 LCMapStringW
0x42f174 WriteProcessMemory
0x42f178 GetStringTypeW
0x42f17c TlsGetValue
0x42f180 TlsAlloc
0x42f184 RaiseException
0x42f188 IsValidLocale
0x42f18c EnumSystemLocalesA
0x42f190 GetLocaleInfoA
0x42f194 GetUserDefaultLCID
0x42f198 GetModuleFileNameW
0x42f19c GetStdHandle
0x42f1a0 GetModuleHandleW
0x42f1a4 HeapDestroy
0x42f1a8 HeapCreate
0x42f1ac RtlUnwind
0x42f1b0 EnterCriticalSection
0x42f1b4 FatalAppExitA
0x42f1b8 LeaveCriticalSection
0x42f1bc DeleteCriticalSection
0x42f1c0 TerminateProcess
0x42f1c4 UnhandledExceptionFilter
0x42f1c8 SetUnhandledExceptionFilter
0x42f1cc IsDebuggerPresent
0x42f1d0 EncodePointer
0x42f1d4 DecodePointer
0x42f1d8 InitializeCriticalSectionAndSpinCount
USER32.dll
0x42f210 GetDesktopWindow
0x42f214 OpenDesktopA
0x42f218 CreateDesktopA
0x42f21c CloseDesktop
0x42f220 OpenInputDesktop
0x42f224 wsprintfW
0x42f228 IsDialogMessageW
0x42f22c MessageBoxA
0x42f230 GetWindowLongW
0x42f234 ReleaseDC
0x42f238 GetWindowContextHelpId
0x42f23c SetThreadDesktop
0x42f240 RegisterClassW
0x42f244 IsWindowVisible
0x42f248 GetCursorPos
0x42f24c CharToOemA
GDI32.dll
0x42f014 CreateDCA
0x42f018 GetDeviceCaps
ADVAPI32.dll
0x42f000 RegGetValueA
0x42f004 RegOpenKeyExA
0x42f008 GetUserNameA
0x42f00c GetCurrentHwProfileA
SHELL32.dll
0x42f200 SHFileOperationA
ole32.dll
0x42f294 CoInitializeSecurity
0x42f298 CoSetProxyBlanket
0x42f29c CoCreateInstance
0x42f2a0 CoInitializeEx
OLEAUT32.dll
0x42f1e0 SysFreeString
0x42f1e4 VariantClear
0x42f1e8 VariantInit
0x42f1ec SysAllocString
PSAPI.DLL
0x42f1f4 EnumProcessModules
0x42f1f8 GetModuleBaseNameA
SHLWAPI.dll
0x42f208 None
EAT(Export Address Table) is none